For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey --information security, cyber intelligence, education, thoughts. Some love my writing, others hate it. If you like it, follow me!

Saturday, March 26, 2016

Iraq's new drone, the Chinese C-4 drew first blood against ISIS, according to an article in Popular Science. And this made me think back... for how many years did we chase Chinese espionage from networks where these things were built? And while I have no idea what the guts of these birds look like, they certainly look similar on the outside.

Iraq's new C4, optics retracted to reduce drag during flight (http://www.popsci.com/)

The report discussed general trends, but relating to this morning's blog was the idea that UAVs were near the top of the targeting list... and they had been for five years. So based on that thinking, 2004-2009 were peak UAV harvesting years, at a time when only the US had them. In a previous post, I reported that a US bird (at the time) was selling for $3.2 mil, while the Chinese version was selling for ~$800,000 (USD). And now, just a few years later, we're seeing the results of that espionage activity in the air, flying against ISIS. Good for the Iraqis! Bad for us. And then I think about the idea that it seems like only yesterday when UAVs (unmanned aerial vehicles) were high on the target list for Chinese acquisitions. In fact, in 2010, the Defense Security Service reported in an unclassified report: "East Asia and the Pacific region were hosts to the highest number of intelligence collection attempts. 'For the fifth year in a row, reporting with an East Asia and Pacific nexus far exceeded those from any other region suggesting a continuing, concerted, and growing effort to exploit contacts within United States industry for competitive, economic, and military advantage,' the report states."

We've experienced massive cyber thefts from our R&D EDUs, R&D centers, and OEMs. In the early days, the idea that new technology was obtained through cyber means was shocking. Today, not so much. The targeting of UASs (Unmanned Aerial Systems --the updated term for UAVs) today means stealing IP that allows for refined controls of the previously stolen systems --how can they be made better --navigation, targeting, optics. Regardless of whether it is for military or economic gain, the simple idea that these birds sell for a quarter of the price of our own and the skies will soon be full of them means jobs lost --and not just in the US, but also in the international supply chain. BT
As always, a busy week. Two new fusion reports were posted to the Red Sky portal. We've been using a new format with all of our new published reports. Members have had problems navigating the number of reports in our socially driven site. The engine isn't machine to machine, rather focusing on the human interaction. So to assist with some of the confusion, we've begun adding snapshot views to each of our products, as well as a cross reference of our previous reporting (links inside Red Sky - redacted for this post) and a link to our indicator database (open to all) where users can download indicators (https://www.threatrecon.co/search?keyword=FR16-011).

Our latest report focuses on Locky:

Executive Summary

In February 2016, the Dridex botnet was observed distributing a new ransomware variant named Locky. Since then, a number of Locky macros and downloaders have been leveraged to distribute the ransomware. This report describes a recently observed JavaScript Locky downloader that appeared in early March. Similar to Dridex, the delivery infrastructure consists of compromised bots, which send the malicious emails, as well as compromised websites that host the Locky payload.

This report includes technical details and mitigations on this Locky downloader variant and related infrastructure. Mitigations are offered at the end of this report.

Handling requirements: Traffic Light Protocol (TLP) AMBER. Recipients may only share TLP: AMBER information with members of their own organization on a “need-to-know” basis and only as widely as necessary to act on that information.

Attribution/Threat Actors: The Locky JavaScript Downloader variant is a part of the Dridex/Locky botnet.

Actor Type: Adversary capabilities have been assessed as Tier II: practitioners with a greater depth of experience, with the ability to develop their own tools (from publicly known vulnerabilities).
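The report excerpt describes the delivery chain in one sentence: compromised bots mail a JavaScript downloader, which fetches the Locky payload from a compromised website. The mail gateway is the first place a defender can break that chain, and the simplest check is whether a message carries a script attachment at all, including one wrapped in a zip. The following is an added example written for this post, not Wapack Labs or Red Sky Alliance code and not taken from the report; the extension list and the sample messages are constructed for illustration.

```python
"""Flag e-mails that carry script attachments, bare or nested one level
inside a zip archive, which is the delivery pattern the Locky report excerpt
above describes.  Added example for this post, not Wapack Labs code.
The extension list and the sample messages below are constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types that mail-borne downloaders commonly use (assumption;
# tune to what your gateway actually sees).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def scripts_in_zip(data: bytes):
    """Names of script files inside a zip payload (one level deep)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _ext(n) in SCRIPT_EXTENSIONS]
    except zipfile.BadZipFile:
        return []


def flag_script_attachments(raw: bytes):
    """Parse an RFC 822 message and return findings as strings:
    'invoice.js' for a bare script, 'invoice.zip:invoice.js' for a nested one."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in SCRIPT_EXTENSIONS:
            findings.append(name)
        elif ext in ARCHIVE_EXTENSIONS:
            payload = part.get_payload(decode=True) or b""
            findings.extend(f"{name}:{inner}" for inner in scripts_in_zip(payload))
    return findings


def build_sample(filename: str, content: bytes) -> bytes:
    """Construct a one-attachment test message (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(content, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


def zipped(inner_name: str, content: bytes) -> bytes:
    """Build an in-memory zip holding a single file (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.pdf", b"%PDF-1.4 (constructed)"),
        ("invoice.js", b"// constructed placeholder, not a real downloader"),
        ("invoice.zip", zipped("invoice_2016.js", b"// constructed placeholder")),
    ]
    for fname, body in samples:
        print(fname, "->", flag_script_attachments(build_sample(fname, body)))
```

The check is deliberately coarse: it looks at attachment names only, which is cheap enough to run on every inbound message, and it treats a script inside a zip the same as a bare script because archive wrapping is exactly how macro and downloader campaigns slip past filters that only inspect the outer attachment.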

As well, this time of year is always busy for us. We've offered membership to one more organization, and have proposals out with three others. Interactions in the portal seemed to have slowed a bit this spring, but we continue to populate it with intelligence, reports, commentary/analysis and actionable data. Even with the slowdown, we still see over 36% returns month over month, so I'm not complaining.

What's coming?

We're planning our first Cyber Symposium with a partner in Huntsville, AL. Wapack Labs and H2L Solutions (a DFARS assessment company performing NIST 800-171 assessments in the area) will be hosting a Cyber Symposium for local companies on June 7th.

Two weeks later, we're doing our pre-summer quarterly Red Sky Alliance Threat Day at a member location in Stamford, CT.

It's busy. We like it this way.

The blog is getting long, so I'm going to take advantage of the sun up here in New England.

Tuesday, March 22, 2016

We've been doing a bit of R&D. Last week I announced a new tool (Cyberwatch(R)) that we've fielded in its minimally viable form, looking to get feedback. The thinking was, we wanted to see if there were correlations between the number of times we saw a company show up in our intelligence sources and their stock price.

The example we'd toyed with was a bit ambitious but it made for a great test case.

Here's what we did. We have approximately four years of back data. Every day we counted the number of times we saw "amazon.com" or any subdomain or IP addresses in our daily queries. We figured if we kept the model simple, anyone could understand it... I don't like complex algorithms --the only people who understand them are the people who write them. I wanted math that anyone could look at quickly and know what it meant.

Wapack Labs watched the intelligence space (dark web, chatter, etc.) during this time, and counted the number of times we saw anything associated with Amazon --and we plotted it on a moving timeline against the stock price in a chart resembling a stock chart. The result? We showed movement in both the cyber threat activity and movement of the stock price (we recognize that there are many variables that make a company's stock price move, and it takes a lot of market influence to move Amazon's stock). There was a spike on August 4th, followed by a short period when we lost eyes, and then an increase in underground 'chatter' shortly after as we watched circular reporting by other reporting outlets. The public reaction to the bad press was evidenced by the downward movement in the stock price. The underground activity? Was this targeting of Amazon because of the bad news? Not sure, but our chart clearly shows something.
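The model described in the two paragraphs above is deliberately simple: one company, one count per day of intelligence records that mention its domain, a subdomain, or one of its IP addresses, lined up against the closing price. The code below is an added example written for this post to show that model end to end; it is not Cyberwatch(R) or any other Wapack Labs code. The intelligence records, the IP list (a TEST-NET address) and the prices are all constructed sample data, and the Pearson correlation at the end is my addition to put a number on "movement in both", not something the post computes.

```python
"""Daily mention count for one company across a pile of intelligence records,
lined up against a price series: the simple model the post describes.
Added example for this post, not Wapack Labs' Cyberwatch code.  The records,
IP set and prices below are constructed sample data."""
import re
from collections import Counter
from datetime import date

# Hostnames and dotted-quad IPs pulled out of free text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def mentions_company(text: str, domain: str, ip_set) -> bool:
    """True if the text names the domain, one of its subdomains, or one of
    its IPs.  'aws.amazon.com' must match 'amazon.com'; 'notamazon.com' and the
    look-alike 'amazon.com.evil.net' must not."""
    domain = domain.lower()
    for host in HOST_RE.findall(text):
        h = host.lower()
        if h == domain or h.endswith("." + domain):
            return True
    return any(ip in ip_set for ip in IP_RE.findall(text))


def daily_counts(records, domain, ip_set) -> Counter:
    """records: iterable of (date, text).  Returns Counter of date -> mentions."""
    counts = Counter()
    for day, text in records:
        if mentions_company(text, domain, ip_set):
            counts[day] += 1
    return counts


def pearson(xs, ys) -> float:
    """Plain Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (sx * sy) if sx and sy else 0.0


def index_vs_price(records, prices, domain, ip_set):
    """Return ([(day, mentions, close)], correlation) over the price series'
    trading days; days with no intelligence hits count as zero."""
    counts = daily_counts(records, domain, ip_set)
    rows = [(d, counts.get(d, 0), p) for d, p in sorted(prices.items())]
    r = pearson([m for _, m, _ in rows], [p for _, _, p in rows])
    return rows, r


# Constructed sample: three days of intelligence records and closing prices.
COMPANY_IPS = {"203.0.113.10"}  # TEST-NET address standing in for a company IP
RECORDS = [
    (date(2015, 8, 3), "paste: credential list referencing amazon.com users"),
    (date(2015, 8, 3), "forum: nothing new today"),
    (date(2015, 8, 4), "chatter: aws.amazon.com discussed on underground forum"),
    (date(2015, 8, 4), "scan hit on 203.0.113.10 port 443"),
    (date(2015, 8, 4), "phish kit hosted at notamazon.com"),
    (date(2015, 8, 5), "paste: http://www.amazon.com/gp/help referenced"),
]
PRICES = {date(2015, 8, 3): 536.0, date(2015, 8, 4): 530.0, date(2015, 8, 5): 533.0}


if __name__ == "__main__":
    rows, r = index_vs_price(RECORDS, PRICES, "amazon.com", COMPANY_IPS)
    for day, mentions, close in rows:
        print(f"{day}  mentions={mentions}  close={close}")
    print(f"correlation over {len(rows)} days: {r:.3f}")
```

Two details matter more than the arithmetic. The suffix test (`h == domain or h.endswith("." + domain)`) is what keeps `notamazon.com` and `amazon.com.evil.net` out of the count while letting every real subdomain in; a plain substring search would inflate the index with look-alike and typo-squat domains. And a correlation over three constructed days is meaningless on its own, which is the post's own point about one sample not being enough; the function exists so that the same calculation can be run over the four years of back data the post mentions.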

So the question is, can increased cyber activity in the underground affect a company's stock price? Probably not directly, but what if the chatter that we monitor turns to action? Absolutely. Cyber isn't the only indicator that can be used to help predict stock movement, but certainly it's one that should be considered. And our experiment in identifying a new means of monitoring cyber intelligence as a leading indicator to potential damage to a company in the form of stock price movement is proving very cool. Amazon's stock is affected by millions of variables, not just cyber, but what about the company whose price isn't as resilient to changes in a singular variable --like cyber activities focused on them?

On November 9th we saw a massive spike in activity as we slid our viewing window to the right. Why? We believe this was a lead-up to Black Friday, when folks were planning, talking about, exchanging tools and credentials that could potentially exploit retailers during the holiday season. Are we sure? No. Intelligence never is, but clearly, there's a massive spike and then a drop-off to nearly zero on the actual day --why? Bad guys need time off too, and they've already planted their tools. Now they simply sit back and collect the loot.

Activity remained fairly consistent throughout until after the holiday, then spiked again during return season, including a massive dump of credentials (AKA Pony Dump) that affected just about every large company --not targeted, but massive. We had to change the scale to show the massive number of times that we saw Amazon in our intelligence sources... from hundreds to thousands. The good news for Amazon? It wasn't just them. It affected everyone out there. A quick comparison of the average Cyber Threat Index(R) for the companies in the Dow Jones and S&P 500 (both shown on our website, cyberwatch.wapacklabs.com) shows that the average large enterprise company was mentioned over 5000 times. Amazon actually fared better than most.

Figure 3: Amazon's Cyber Threat Index on the day of the "Pony" dump of credentials

We launched Cyberwatch(R) this week in bare bones format. There's a place to submit feature requests and bugs, but the idea is, subscribers will be able to monitor portfolios of companies in addition to their own. I'd encourage you to log in with your company domain and a stock ticker if you have one. Viewing the graphics and looking at industry or geographic trends won't cost you anything, but pulling the actual intelligence behind the graphics will.

Our thinking in this is simple... Boards, CEOs and CFOs want to know how all that money they're spending on security affects the profitable operation of the business, the stock price, and value to the shareholders. CIOs, CISOs, and techies want to know how to fix the problems that their CEOs are aware of (hopefully before he or she asks). Because we monitor non-public sources, the graphics are often leading indicators of potential threats. Is it actionable? You bet. If you see five threats (shown in Figure 2) on that particular morning when you're monitoring the Cyber Threat Index(R) for that day, according to our sources, you have five things to monitor for or block before you finish your first coffee in the morning.

Your money guys know you've seen the problems and fixed them. They also know they can monitor their threat activity levels for spikes and have awareness of how it might affect the company. And investors and portfolio managers now have (admittedly early maturity) a tool that can be used to measure risk before they invest.

While not a perfect science (predicting the stock market never is), we clearly show intelligence (primary-sourced --not circular reporting or social media) activity increasing shortly after the NY Times called out Amazon as a harsh place to work. Is it related? Not sure. But certainly there's a corresponding movement in Amazon's stock price during the timeframe. And one sample isn't nearly enough to be able to show a 1-to-1 correlation, but for any investor considering the purchase of a large block of stock, or an M&A, monitoring a portfolio deal, or supply chain, I'd think that the idea that the price of that new investment can be influenced by movement in what we're calling (and trademarked and now patent pending) Cyber Threat Index(R) is actually pretty cool. If this works --and I suspect it will, there's now a cyber means of identifying trends that *could* move stock prices, and for any executive or board wanting to understand the value of the security required (and funded), they can monitor that activity by simply watching the trend line.

This is a bit unusual, but it's one of the reasons we didn't take external investments. We want to be able to experiment and find new ways to transcend things like the language barrier, how CISOs show the value of their spend and efforts, and how companies translate security posture wording into something their investors understand. Is it perfect? Not by a long shot. Is it promising? You bet.